denied avcs for kde again :(

Daniel J Walsh dwalsh at redhat.com
Mon Feb 16 18:34:15 UTC 2009


Antonio Olivares wrote:
> Am I the only one that sees the following:
> 
> I think I am going crazy with these repeating avc's :(  
> 
> 
> Summary:
> 
> SELinux prevented kde4-config from writing .kde.
> 
> Detailed Description:
> 
> SELinux prevented kde4-config from writing .kde. If .kde is a core file, you may
> want to allow this. If .kde is not a core file, this could signal a intrusion
> attempt.
> 
> Allowing Access:
> 
> Changing the "allow_daemons_dump_core" boolean to true will allow this access:
> "setsebool -P allow_daemons_dump_core=1."
> 
> Fix Command:
> 
> setsebool -P allow_daemons_dump_core=1
> 
> Additional Information:
> 
> Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:root_t:s0
> Target Objects                .kde [ dir ]
> Source                        kde4-config
> Source Path                   /usr/bin/kde4-config
> Port                          <Unknown>
> Host                          riohigh
> Source RPM Packages           kdelibs-4.2.0-10.fc11
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.6.5-3.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   allow_daemons_dump_core
> Host Name                     riohigh
> Platform                      Linux riohigh 2.6.29-0.119.rc5.fc11.i586 #1 SMP
>                               Sat Feb 14 18:38:24 EST 2009 i686 athlon
> Alert Count                   3
> First Seen                    Thu 12 Feb 2009 08:38:18 AM CST
> Last Seen                     Mon 16 Feb 2009 06:56:52 AM CST
> Local ID                      8e781235-d7ca-4c98-b8c9-ed9dac40a2ff
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> node=riohigh type=AVC msg=audit(1234789012.965:7): avc:  denied  { create } for  pid=2245 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir
> 
> node=riohigh type=SYSCALL msg=audit(1234789012.965:7): arch=40000003 syscall=39 success=no exit=-13 a0=82fc358 a1=1c0 a2=2f0438c a3=1 items=0 ppid=2244 pid=2245 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
> 
No, you are not the only one.

This is a bug in kde-login, which thinks its homedir is / and wants to
create a directory in the / directory.

I have also seen similar with it trying to create the directory in
/root, which is also somewhat bad.  I do not want to give login
programs the ability to write to these directories, because attackers
without passwords can get the login programs to execute large amounts of
code without ever identifying themselves.  gdm is set up with a homedir
of /var/lib/gdm, which allows us to confine the gdm login program.

KDE login needs something similar. I believe there is a bug on this,
but it would not hurt to open another.


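An added example, not part of the original thread: a short Python triage script that parses raw AVC records such as the one quoted above and flags denials where the login domain (`xdm_t`) attempts a write-class operation on an object labelled `root_t`, the pattern the reply attributes to a wrong home directory rather than to a missing boolean. The function names, the set of write permissions, the abridged SYSCALL line and the `httpd` record are constructed for illustration.

```python
import re

# First record copied from the report above; the SYSCALL line is abridged
# and the httpd record is constructed to show a denial that is not flagged.
SAMPLE = '''\
node=riohigh type=AVC msg=audit(1234789012.965:7): avc:  denied  { create } for  pid=2245 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir
node=riohigh type=SYSCALL msg=audit(1234789012.965:7): arch=40000003 syscall=39 success=no exit=-13 comm="kde4-config" exe="/usr/bin/kde4-config"
node=riohigh type=AVC msg=audit(1234789100.100:9): avc:  denied  { read } for  pid=3001 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
'''

AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

LOGIN_DOMAINS = {"xdm_t"}      # source domain seen in the report
PROTECTED_TYPES = {"root_t"}   # label of the target directory in the report
WRITE_PERMS = {"create", "write", "add_name", "setattr", "unlink", "rename"}

def selinux_type(context):
    """Return the type field of a user:role:type:level context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""

def parse_avc(line):
    """Parse one audit line; return a dict for AVC denials, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = set(m.group("perms").split())
    rec["stype"] = selinux_type(rec.get("scontext", ""))
    rec["ttype"] = selinux_type(rec.get("tcontext", ""))
    return rec

def login_write_denials(text):
    """Return AVC denials where a login domain tried to modify a protected type."""
    hits = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if (rec and rec["stype"] in LOGIN_DOMAINS
                and rec["ttype"] in PROTECTED_TYPES
                and rec["perms"] & WRITE_PERMS):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for r in login_write_denials(SAMPLE):
        print(f'{r["comm"]} ({r["stype"]}) denied {sorted(r["perms"])} '
              f'on {r["tclass"]} "{r["name"]}" labelled {r["ttype"]}')
```

A hit from this filter points at the display manager's home directory configuration, so the record is better attached to a bug report than resolved with the suggested boolean.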